Geeks To Go forum
viruses and malware galore [RESOLVED]



#16 andrewuk (Trusted Helper, Malware Removal)
It is OK to go on to STEP 3 and STEP 4 if you can't do STEP 2.

But first, just to make sure on STEP 2:

You opened a blank Notepad, copied and pasted the contents of the code box into it, saved it as fixit.reg on your desktop, closed Notepad and then tried to double-click the file on your desktop called fixit.reg?

andrewuk

#17 shaz (Topic Starter)
OK, I got 1 warning message:

Warning: Error parsing raw registry hive S-1-5-18. Registry scan may not be supported on this version of Windows.

And to the reg thingy... yes, I named it fixit.reg.

#18 andrewuk (Trusted Helper)
OK, go on to STEP 4 then.

#19 shaz (Topic Starter)
Hi Andrew, here are those logs... sorry it took so long.

C:\WINDOWS\System32\TFTP2972 moved successfully.
C:\WINDOWS\System32\TFTP2848 moved successfully.
C:\WINDOWS\System32\TFTP1056 moved successfully.
C:\WINDOWS\System32\TFTP3940 moved successfully.
C:\WINDOWS\System32\TFTP2216 moved successfully.
C:\WINDOWS\System32\setup_56458.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\hqghumea.dll
C:\WINDOWS\System32\hqghumea.dll NOT unregistered.
C:\WINDOWS\System32\hqghumea.dll moved successfully.
C:\WINDOWS\System32\wmsoft11721.exe moved successfully.
C:\WINDOWS\System32\f4.exe moved successfully.
C:\WINDOWS\System32\27031_redworld.exe moved successfully.
C:\WINDOWS\System32\TFTP456 moved successfully.
C:\WINDOWS\System32\TFTP104 moved successfully.
C:\WINDOWS\System32\TFTP3424 moved successfully.
C:\msu32.exe moved successfully.
File/Folder C:\WINDOWS\System32\nvsvc86.exe not found.
File/Folder C:\WINDOWS\System32\mdms.exe not found.
File/Folder C:\WINDOWS\System32\mdm.exe not found.
File/Folder C:\WINDOWS\rundll32.exe not found.

OTMoveIt2 v1.0.20 log created on 03122008_074050


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 13, 2008 1:43:21 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/03/2008
Kaspersky Anti-Virus database records: 625556
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 31342
Number of viruses found: 7
Number of infected objects: 70
Number of suspicious objects: 0
Duration of the scan process: 02:28:21

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080311131356\backup\DOCUME~1\user\LOCALS~1\Temp\G6-tmp1i.exe Infected: Trojan-Downloader.Win32.Delf.fhp skipped
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Desktop\Document.rtf Object is locked skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\AutoRecovery save of Document.asd Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\tbpwbad.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\tbpwbcm.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF32EF.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF67F8.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF8BC9.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF8BFD.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DFCF4A.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~WRC0000.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~WRL0925.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~WRL2026.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~WRL4002.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\ntuser.dat Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft Office\Templates\Normal.dot Object is locked skipped
C:\SDFix\backups\backups.zip/backups/lo.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\SDFix\backups\backups.zip/backups/o Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\SDFix\backups\backups.zip/backups/rundll32.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\SDFix\backups\backups.zip ZIP: infected - 3 skipped
C:\SDFix\backups\catchme.zip/jkghje.dll Infected: Trojan.Win32.Agent.fgw skipped
C:\SDFix\backups\catchme.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0338918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0339918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0339922.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0340919.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0341918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0342918.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0342919.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0342927.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0343927.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0343928.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0344927.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0344928.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0345927.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP102\A0345933.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0349944.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0349945.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0350940.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0350945.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0351944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0352944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0353944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0355944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0356944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0356945.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0356946.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0356950.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0357944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0358944.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0358952.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0358956.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0358964.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0359964.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0359969.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0359975.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360975.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360976.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360987.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360988.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360993.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0360994.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP104\A0361995.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP105\A0361996.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP105\A0361997.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP105\A0362005.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP105\A0362006.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP105\A0364993.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0364997.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0364998.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0364999.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0365989.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0365994.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0366002.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP106\A0367002.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP107\A0369003.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP107\A0369008.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP107\A0369016.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP107\A0369017.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP107\A0369018.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0369024.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0370024.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0371024.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0371025.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0372024.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0372025.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0372032.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0372033.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0373032.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0374032.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0375032.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0375033.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376032.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376035.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376037.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376038.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376047.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376048.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP108\A0376050.dll Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP109\A0378063.exe Infected: Backdoor.Win32.IRCBot.bvp skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP110\A0379266.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP110\A0379267.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP110\A0379281.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP110\A0379282.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP111\A0384311.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP111\A0386316.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP111\A0386317.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP111\A0386324.exe Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP113\A0388549.dll Object is locked skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP113\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\GX0PICTZSNYEMMO.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GLIJWLM7\84785_redworld[1].exe Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\54200_netapi[1].exe Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXMRO5A3\84785_redworld[1].exe Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\temp\ZLT05912.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT05950.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\03112008_111746\WINDOWS\system32\a.exe Infected: Backdoor.Win32.IRCBot.bvp skipped
C:\_OTMoveIt\MovedFiles\03112008_111746\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\arr[1].jpg Object is locked skipped
C:\_OTMoveIt\MovedFiles\03112008_111746\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\mixit[1].exe Object is locked skipped
C:\_OTMoveIt\MovedFiles\03112008_111746\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\mmdmm[1].exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\_OTMoveIt\MovedFiles\03112008_111746\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1UBWLEZ\mumie[1].exe Infected: Backdoor.Win32.IRCBot.bvp skipped
C:\_OTMoveIt\MovedFiles\03112008_111746\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXMRO5A3\mmdmm[3].exe Object is locked skipped
C:\_OTMoveIt\MovedFiles\03112008_111746\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\_OTMoveIt\MovedFiles\03112008_111746\WINDOWS\system32\mdm.exe Infected: Backdoor.Win32.IRCBot.bvp skipped
C:\_OTMoveIt\MovedFiles\03122008_074050\WINDOWS\System32\27031_redworld.exe Object is locked skipped
C:\_OTMoveIt\MovedFiles\03122008_074050\WINDOWS\System32\f4.exe Object is locked skipped
C:\_OTMoveIt\MovedFiles\03122008_074050\WINDOWS\System32\hqghumea.dll Object is locked skipped
C:\_OTMoveIt\MovedFiles\03122008_074050\WINDOWS\System32\wmsoft11721.exe Object is locked skipped

Scan process completed.

#20 andrewuk (Trusted Helper)
Hi shaz

The Kaspersky scan only picked up infections that are already safely quarantined or in System Restore points (which we will clear at the end), so good news there :)

I do, however, suspect you may have a rootkit on your machine. The failed Sophos scan somewhat concerns me, so we will see if we can hunt this rootkit down.

Out of interest, how is your machine running now?

====STEP 1====
I noticed some infected files in your system profile to delete first.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GLIJWLM7\84785_redworld[1].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\54200_netapi[1].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXMRO5A3\84785_redworld[1].exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


In your next reply could I see:
1. the OTMoveIt log
2. the ComboFix text
3. a new HijackThis log
4. some idea of how your machine is running now

There may be a lot of information to post in the next reply, so you may need to spread it over more than one reply to ensure it is all posted.

andrewuk
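The triage in the reply above (a detection that only lives in a quarantine folder or a System Restore point is not a live infection, and a "not-a-virus:" hit on a removal tool's helper is noise) can be mechanised over the report format shaz posted. This is an added example, not code from the thread, from Kaspersky or from the tools named here; the sample lines are constructed in the report's format, the quarantine prefixes are the ones that appear in the posted report, and the final "placeholder_live.exe" path is invented only to exercise the live branch.

```python
"""Triage a Kaspersky Online Scanner report: separate detections that already
sit in quarantine folders or System Restore points from detections on live
paths, and flag 'not-a-virus:' riskware hits on legitimate removal tools.
Added example; not code from the thread or from Kaspersky."""
import re
from collections import Counter

# Per-object line shapes seen in the report.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?:ZIP|RarSFX): infected - (?P<n>\d+) skipped$")

# Folders where removal tools and Windows keep already-neutralised copies.
# These are the prefixes that appear in the posted report; extend as needed.
CONTAINED_PREFIXES = (
    r"C:\System Volume Information\_restore",  # System Restore snapshots
    r"C:\SDFix\backups",                       # SDFix backup archive
    r"C:\_OTMoveIt\MovedFiles",                # OTMoveIt quarantine
    r"C:\Deckard\System Scanner",              # Deckard's System Scanner backups
)


def status_for(path, detection):
    """Map one detection to a triage status.

    'unscanned'  file was locked, so nothing is known about it
    'riskware'   'not-a-virus:' hit, e.g. the reboot helper inside SmitfraudFix
    'contained'  path is inside a quarantine/backup/restore area
    'live'       anything else: a detection on an active location
    Path comparison is case-insensitive, like NTFS.
    """
    if detection == "locked":
        return "unscanned"
    if detection.startswith("not-a-virus:"):
        return "riskware"
    low = path.lower()
    if any(low.startswith(p.lower()) for p in CONTAINED_PREFIXES):
        return "contained"
    return "live"


def parse_report(text):
    """Yield (path, detection, status) for every per-object line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            yield m["path"], m["name"], status_for(m["path"], m["name"])
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            # Container summary line; its members were already listed one by one.
            det = "archive:" + m["n"]
            yield m["path"], det, status_for(m["path"], det)
            continue
        m = LOCKED_RE.match(line)
        if m:
            yield m["path"], "locked", "unscanned"


def triage(text):
    """Count objects per status, count malware families, and list live hits."""
    counts, families, live = Counter(), Counter(), []
    for path, det, status in parse_report(text):
        counts[status] += 1
        if det != "locked" and not det.startswith("archive:"):
            families[det] += 1
        if status == "live":
            live.append((path, det))
    return {"counts": dict(counts), "families": dict(families), "live": live}


# Constructed sample in the report's format (paths shortened). The last line
# is an invented placeholder path, present only to exercise the 'live' branch.
SAMPLE = r"""
C:\Deckard\System Scanner\20080311131356\backup\Temp\G6-tmp1i.exe Infected: Trojan-Downloader.Win32.Delf.fhp skipped
C:\Documents and Settings\user\ntuser.dat Object is locked skipped
C:\Documents and Settings\user\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SDFix\backups\backups.zip/backups/lo.exe Infected: Trojan.Win32.StartPage.axj skipped
C:\SDFix\backups\backups.zip ZIP: infected - 3 skipped
C:\System Volume Information\_restore{1E3161C5-733A-47AC-9AD8-1257F05885DC}\RP103\A0358956.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
C:\_OTMoveIt\MovedFiles\03112008_111746\WINDOWS\system32\a.exe Infected: Backdoor.Win32.IRCBot.bvp skipped
C:\WINDOWS\system32\placeholder_live.exe Infected: Backdoor.Win32.IRCBot.bsl skipped
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("objects per status:", result["counts"])
    print("families seen:", result["families"])
    for path, det in result["live"]:
        print("LIVE:", det, "at", path)
```

Running it over the full report posted in #19 (everything between the "Infected Object Name" header and "Scan process completed.") gives an empty live list, which is the basis for the "good news" above; a non-empty live list is what would warrant a follow-up.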

#21 andrewuk (Trusted Helper)
Still with us?

#22 andrewuk (Trusted Helper)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#23 andrewuk (Trusted Helper)
Topic re-opened, user returned.

#24 shaz (Topic Starter)
Thanks Andrew... I went to where we last left off. Here are those logs; the PC seems to be running a lot better, ty.

File/Folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GLIJWLM7\84785_redworld[1].exe not found.
File/Folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SJUX07MN\54200_netapi[1].exe not found.
File/Folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXMRO5A3\84785_redworld[1].exe not found.

OTMoveIt2 v1.0.20 log created on 03282008_053819

ComboFix 08-03-26.3 - user 2008-03-28 5:50:48.4 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
MTEE /+ d-delA.dat


((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-26 13:11 . 2007-07-13 17:25 27,072 --a------ C:\WINDOWS\system32\drivers\PCASp50.sys
2008-03-15 17:36 . 2008-03-15 17:36 <DIR> d-------- C:\Documents and Settings\user\Application Data\Alien Skin
2008-03-14 14:14 . 2008-03-14 14:14 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2008-03-13 15:06 . 2008-03-13 15:06 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-13 14:18 . 2008-03-14 14:13 3,082 --a------ C:\WINDOWS\system32\affv9869p2now.sys
2008-03-13 10:48 . 2008-03-13 10:48 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2008-03-13 10:48 . 2008-03-13 10:48 <DIR> d-------- C:\Program Files\Freecorder Toolbar
2008-03-13 10:48 . 2008-03-13 15:08 <DIR> d-------- C:\Program Files\Freecorder
2008-03-13 10:47 . 2008-03-13 10:47 <DIR> d-------- C:\Program Files\Replay Media Catcher
2008-03-13 10:45 . 2008-03-13 10:46 <DIR> d-------- C:\Documents and Settings\user\Application Data\GetRightToGo
2008-03-13 10:44 . 2008-03-13 10:44 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-03-13 10:44 . 2008-03-13 15:06 <DIR> d-------- C:\Program Files\FLV Player
2008-03-13 10:42 . 2008-03-13 13:25 <DIR> d-------- C:\Program Files\Smart FLV Converter
2008-03-12 17:48 . 2008-03-12 17:48 <DIR> d-------- C:\Program Files\YouTube Downloader
2008-03-12 08:33 . 2008-03-12 08:33 <DIR> d-------- C:\Program Files\Sophos
2008-03-12 07:44 . 2008-03-12 07:46 62,316,260 --a------ C:\backup.reg
2008-03-11 21:10 . 2008-03-11 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-11 21:05 . 2008-03-11 21:05 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-03-11 21:05 . 2008-03-11 21:05 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-03-11 21:05 . 2002-01-05 07:48 974,848 --------- C:\WINDOWS\system32\mfc70.dll
2008-03-11 21:05 . 2002-01-05 07:10 57,344 --------- C:\WINDOWS\system32\mfc70enu.dll
2008-03-11 21:04 . 2008-03-11 21:04 <DIR> d-------- C:\Program Files\Macromedia
2008-03-11 17:26 . 2008-03-11 17:26 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-03-11 17:25 . 2008-03-12 17:24 <DIR> d-------- C:\E-Zsoft
2008-03-11 17:05 . 2008-03-11 17:05 <DIR> d-------- C:\Documents and Settings\user\Application Data\vlc
2008-03-11 16:32 . 2008-03-14 14:47 <DIR> d-------- C:\Program Files\Blaze Media Pro
2008-03-11 16:31 . 2008-03-11 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2008-03-11 12:48 . 2008-03-11 12:48 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-03-11 12:37 . 2008-03-11 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-11 12:35 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-03-11 12:35 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-03-11 12:35 . 2008-03-11 12:48 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-11 12:30 . 2008-03-11 12:35 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-03-11 12:30 . 2008-03-11 12:30 <DIR> d-------- C:\Program Files\Zone Labs
2008-03-11 12:30 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-03-11 12:30 . 2008-03-28 06:04 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-03-11 12:21 . 2008-03-28 06:07 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-09 14:55 . 2008-03-09 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 14:16 . 2008-03-09 14:16 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-03-09 14:16 . 2008-03-09 14:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-09 14:15 . 2008-03-09 14:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-09 10:10 . 2008-03-09 10:10 <DIR> d-------- C:\_OTMoveIt
2008-03-09 08:13 . 2008-03-09 08:45 <DIR> d-------- C:\SDFix
2008-03-08 08:03 . 2008-03-08 08:45 1,292 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-08 05:15 . 2008-03-08 05:15 <DIR> d-------- C:\Deckard
2008-03-07 09:43 . 2008-03-07 09:43 <DIR> d-------- C:\Program Files\Files-Secure
2008-03-07 08:55 . 2008-03-07 09:30 45 --a------ C:\amp.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 03:03 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2008-03-26 03:06 --------- d-----w C:\Program Files\Telstra
2008-03-17 09:50 --------- d-----w C:\Program Files\DX-Ball
2008-03-14 04:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-14 03:33 2,019,328 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-03-11 11:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 00:22 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-08 11:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 02:41 --------- d-----w C:\Program Files\Acoustica MP3 CD Burner
2008-02-13 21:53 --------- d-----w C:\Documents and Settings\user\Application Data\MSN6
2008-02-04 05:13 --------- d-----w C:\Program Files\wgcenter
2008-02-04 03:59 --------- d-----w C:\Program Files\Trend Micro
2008-01-29 12:12 --------- d-----w C:\Documents and Settings\user\Application Data\TuneUp Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-03-11 12:48 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-03-11 12:48 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-03-11 12:48 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-13 16:10 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-22 11:19 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-24 09:19 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"BigPondWirelessBroadbandCM"="C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" [2008-01-29 14:38 2166784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-07-17 06:26 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-30 09:28 219136]
"Network Security XP"="C:\WINDOWS\System32\nvsvc86.exe" [ ]
"OfficeWord Monitors XP"="C:\WINDOWS\System32\mdms.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2003-07-17 06:37 51200 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Office Startup.lnk]
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-06-13 16:10 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2006-10-04 06:47 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-06-01 13:32 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-03-30 07:45 220160 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Office]
C:\WINDOWS\System32\mdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Driver]
C:\WINDOWS\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-04-10 00:03 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Security XP]
C:\WINDOWS\System32\nvsvc86.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-24 09:19 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MS NET Service"=2 (0x2)
"gusvc"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Windows Driver"=C:\WINDOWS\rundll32.exe
"Microsoft Oftice"=C:\WINDOWS\System32\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"Windows Networking Monitoring"=C:\WINDOWS\System32\mdm.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)


.
Contents of the 'Scheduled Tasks' folder
"2008-03-21 07:15:01 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 06:05:57
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\System32\2.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
.
**************************************************************************
.
Completion time: 2008-03-28 6:22:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 20:22:08
Pre-Run: 2,022,850,560 bytes free
Post-Run: 2,115,944,448 bytes free
.
2007-10-03 00:13:48 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:01 AM, on 28/03/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\bpwbb2ad.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" -tsr
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6325 bytes

#25
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Almost done, I suspect. All going well, after this we can update your SP1 before wrapping this all up.


====STEP 1====
Click on Start, then click on Run.
Copy and paste the following (in bold) into the open window and then click OK:
"%userprofile%\desktop\dss.exe" /daft
This will open up Deckard's File Association Tool.
  • Click on the Scan button.
  • Select everything it is displaying there.
  • Click the Fix button.
  • Then rescan with DAFT again; it should now say "All associations are OK".
  • Close DAFT if you receive that message. This means that it is fixed now.


====STEP 2====
1. Please open Notepad:
  • Click Start, then Run.
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security XP"=-
"OfficeWord Monitors XP"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications"=dword:00000000

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Office]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Driver]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Security XP]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


====STEP 3====
I just want to see the extra.txt from this.

Click on Start, then click on Run.
Copy and paste the following (in bold) into the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it has finished, please post back extra.txt only.


In your next reply could I see:
1. the ComboFix log
2. a new HijackThis log
3. the extra.txt log

There will be a lot of information to post in the next reply, so you may need to spread it over more than one reply to ensure it is all posted.

andrewuk
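As an added example (not from this thread, and not ComboFix's own code), here is a small Python checker for two things the CFScript above acts on: it parses the "Reg Loading Points" section of a ComboFix log and reports Run values whose trailing stamp is an empty "[ ]", meaning ComboFix found no file to date/size-stamp at that path (that is how "Network Security XP" and "OfficeWord Monitors XP" stand out in the log above), and it decodes the REGEDIT4-style hex(7) value in the script to confirm that Authentication Packages is being reset to XP's default, msv1_0. The sample log lines are constructed from the log posted above.

```python
"""Checker for two items the CFScript touches (added example, not part of the
thread and not ComboFix's own code).

- unverifiable_entries(): parses ComboFix's "Reg Loading Points" section and
  returns Run values whose trailing stamp is empty "[ ]", i.e. ComboFix found
  no file to date/size-stamp at that path.
- decode_reg_hex7(): decodes a .reg hex(7) (REG_MULTI_SZ) value so the
  Authentication Packages line in the script can be checked against XP's
  default "msv1_0".
"""
import re

# Constructed sample: a few lines copied in shape from the log posted above.
SAMPLE_LOG = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-07-17 06:26 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-30 09:28 219136]
"Network Security XP"="C:\WINDOWS\System32\nvsvc86.exe" [ ]
"OfficeWord Monitors XP"="C:\WINDOWS\System32\mdms.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-22 11:19 579072]
"""

# The line the CFScript writes (REGEDIT4 convention: one ANSI byte per character).
AUTH_PACKAGES_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "Name"="C:\path\file.exe" [date time size]  (path may also be unquoted)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"?(?P<path>[^"\[]+?)"?\s*\[(?P<meta>[^\]]*)\]$')


def parse_loading_points(log_text):
    """Return (key, name, path, meta) for every value line under a [key] header."""
    entries, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group('name'), m.group('path').strip(),
                            m.group('meta').strip()))
    return entries


def unverifiable_entries(log_text):
    """Run values ComboFix could not stamp: the bracket after the path is empty."""
    return [(key, name, path)
            for key, name, path, meta in parse_loading_points(log_text)
            if meta == '']


def decode_reg_hex7(value, regedit4=True):
    """Decode a .reg hex(7) (REG_MULTI_SZ) value into its list of strings.

    REGEDIT4 (ANSI) files, the format ComboFix uses, store one byte per
    character; "Windows Registry Editor Version 5.00" files store UTF-16LE.
    Either way the strings are NUL-separated and the list ends in a double NUL.
    Backslash line continuations, as regedit exports them, are tolerated.
    """
    prefix = 'hex(7):'
    if not value.lower().startswith(prefix):
        raise ValueError('not a hex(7) value: %r' % value)
    parts = value[len(prefix):].replace('\\', '').replace('\n', '').split(',')
    raw = bytes(int(part, 16) for part in parts if part.strip())
    text = raw.decode('latin-1' if regedit4 else 'utf-16-le')
    return [s for s in text.split('\x00') if s]


def authentication_packages_is_default(reg_line):
    """True when a .reg line resets LSA Authentication Packages to just msv1_0."""
    name, _, value = reg_line.partition('=')
    if name.strip().strip('"') != 'Authentication Packages':
        raise ValueError('not an Authentication Packages line')
    return decode_reg_hex7(value.strip()) == ['msv1_0']


if __name__ == '__main__':
    for key, name, path in unverifiable_entries(SAMPLE_LOG):
        print('no file stamp: [%s] "%s" -> %s' % (key, name, path))
    print('Authentication Packages reset to default:',
          authentication_packages_is_default(AUTH_PACKAGES_LINE))
```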



#26
shaz (Member, Topic Starter, 145 posts)
Thanks again... here are the logs. BTW, all my file folders can only be opened by right-clicking and then selecting Open; I can't just click to open them without it going to the search folder first. Any ideas how to fix this?


ComboFix 08-03-26.3 - user 2008-03-28 17:08:28.5 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
MTEE /+ d-delA.dat


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-26 13:11 . 2007-07-13 17:25 27,072 --a------ C:\WINDOWS\system32\drivers\PCASp50.sys
2008-03-15 17:36 . 2008-03-15 17:36 <DIR> d-------- C:\Documents and Settings\user\Application Data\Alien Skin
2008-03-14 14:14 . 2008-03-14 14:14 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2008-03-13 15:06 . 2008-03-13 15:06 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-13 14:18 . 2008-03-14 14:13 3,082 --a------ C:\WINDOWS\system32\affv9869p2now.sys
2008-03-13 10:48 . 2008-03-13 10:48 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2008-03-13 10:48 . 2008-03-13 10:48 <DIR> d-------- C:\Program Files\Freecorder Toolbar
2008-03-13 10:48 . 2008-03-13 15:08 <DIR> d-------- C:\Program Files\Freecorder
2008-03-13 10:47 . 2008-03-13 10:47 <DIR> d-------- C:\Program Files\Replay Media Catcher
2008-03-13 10:45 . 2008-03-13 10:46 <DIR> d-------- C:\Documents and Settings\user\Application Data\GetRightToGo
2008-03-13 10:44 . 2008-03-13 10:44 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-03-13 10:44 . 2008-03-13 15:06 <DIR> d-------- C:\Program Files\FLV Player
2008-03-13 10:42 . 2008-03-13 13:25 <DIR> d-------- C:\Program Files\Smart FLV Converter
2008-03-12 17:48 . 2008-03-12 17:48 <DIR> d-------- C:\Program Files\YouTube Downloader
2008-03-12 08:33 . 2008-03-12 08:33 <DIR> d-------- C:\Program Files\Sophos
2008-03-12 07:44 . 2008-03-12 07:46 62,316,260 --a------ C:\backup.reg
2008-03-11 21:10 . 2008-03-11 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-11 21:05 . 2008-03-11 21:05 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-03-11 21:05 . 2008-03-11 21:05 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-03-11 21:05 . 2002-01-05 07:48 974,848 --------- C:\WINDOWS\system32\mfc70.dll
2008-03-11 21:05 . 2002-01-05 07:10 57,344 --------- C:\WINDOWS\system32\mfc70enu.dll
2008-03-11 21:04 . 2008-03-11 21:04 <DIR> d-------- C:\Program Files\Macromedia
2008-03-11 17:26 . 2008-03-11 17:26 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-03-11 17:25 . 2008-03-12 17:24 <DIR> d-------- C:\E-Zsoft
2008-03-11 17:05 . 2008-03-11 17:05 <DIR> d-------- C:\Documents and Settings\user\Application Data\vlc
2008-03-11 16:32 . 2008-03-14 14:47 <DIR> d-------- C:\Program Files\Blaze Media Pro
2008-03-11 16:31 . 2008-03-11 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2008-03-11 12:48 . 2008-03-11 12:48 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-03-11 12:37 . 2008-03-11 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-11 12:35 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-03-11 12:35 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-03-11 12:35 . 2008-03-11 12:48 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-11 12:30 . 2008-03-11 12:35 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-03-11 12:30 . 2008-03-11 12:30 <DIR> d-------- C:\Program Files\Zone Labs
2008-03-11 12:30 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-03-11 12:30 . 2008-03-28 06:13 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-03-11 12:21 . 2008-03-28 16:59 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-09 14:55 . 2008-03-09 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 14:16 . 2008-03-09 14:16 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-03-09 14:16 . 2008-03-09 14:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-09 14:15 . 2008-03-09 14:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-09 10:10 . 2008-03-09 10:10 <DIR> d-------- C:\_OTMoveIt
2008-03-09 08:13 . 2008-03-09 08:45 <DIR> d-------- C:\SDFix
2008-03-08 08:03 . 2008-03-08 08:45 1,292 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-08 05:15 . 2008-03-08 05:15 <DIR> d-------- C:\Deckard
2008-03-07 09:43 . 2008-03-07 09:43 <DIR> d-------- C:\Program Files\Files-Secure
2008-03-07 08:55 . 2008-03-07 09:30 45 --a------ C:\amp.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 22:01 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2008-03-26 03:06 --------- d-----w C:\Program Files\Telstra
2008-03-17 09:50 --------- d-----w C:\Program Files\DX-Ball
2008-03-14 04:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-14 03:33 2,019,328 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-03-11 11:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 00:22 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-08 11:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 02:41 --------- d-----w C:\Program Files\Acoustica MP3 CD Burner
2008-02-13 21:53 --------- d-----w C:\Documents and Settings\user\Application Data\MSN6
2008-02-04 05:13 --------- d-----w C:\Program Files\wgcenter
2008-02-04 03:59 --------- d-----w C:\Program Files\Trend Micro
2008-01-29 12:12 --------- d-----w C:\Documents and Settings\user\Application Data\TuneUp Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-03-11 12:48 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-03-11 12:48 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-03-11 12:48 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-13 16:10 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-22 11:19 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-24 09:19 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"BigPondWirelessBroadbandCM"="C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" [2008-01-29 14:38 2166784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-07-17 06:26 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-30 09:28 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2003-07-17 06:37 51200 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Office Startup.lnk]
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-06-13 16:10 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2006-10-04 06:47 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-06-01 13:32 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-03-30 07:45 220160 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-04-10 00:03 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-24 09:19 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MS NET Service"=2 (0x2)
"gusvc"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Windows Driver"=C:\WINDOWS\rundll32.exe
"Microsoft Oftice"=C:\WINDOWS\System32\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"Windows Networking Monitoring"=C:\WINDOWS\System32\mdm.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 cmusbnet;WAN Driver @ 3GPP (6280);C:\WINDOWS\System32\DRIVERS\cmusbnet.sys [2007-06-22 10:54]
R3 cmusbser;%CMUSBSER%;C:\WINDOWS\System32\DRIVERS\cmusbser.sys [2006-12-13 19:31]
R3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;C:\WINDOWS\System32\drivers\cwbmidi.sys [2001-08-17 22:19]
R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\System32\drivers\cwbwdm.sys [2001-08-17 22:19]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\System32\2.tmp []
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\System32\DRIVERS\NtApm.sys [2003-07-17 06:27]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\PCASp50.sys [2007-07-13 17:25]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 07:15:01 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 17:20:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\System32\2.tmp"
.
Completion time: 2008-03-28 17:26:23
ComboFix-quarantined-files.txt 2008-03-28 07:26:15
ComboFix2.txt 2008-03-27 20:22:22
Pre-Run: 2,125,348,864 bytes free
Post-Run: 2,109,210,624 bytes free
.
2007-10-03 00:13:48 --- E O F ---


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel Pentium II processor
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 127.55 MiB / 44.83 MiB
Pagefile Memory (total/avail): 307.97 MiB / 104.54 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.34 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 8.03 GiB total, 2.12 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST38410A - 8.03 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 8.03 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GX0PICTZSNYEMMO
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\GX0PICTZSNYEMMO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 5 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0502
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=GX0PICTZSNYEMMO
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Agere Systems PCI Soft Modem --> agrsmdel
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BigPond ADSL SIK 5.6 Files --> C:\Program Files\Telstra\sikuninst.exe
BigPond Wireless Broadband 2.10.4 --> MsiExec.exe /I{4FDE2E3A-3CB0-4098-B8D0-ED3CA3E22777}
Blaze Media Pro --> "C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\setup_blazemp.exe" REMOVE=TRUE MODIFY=FALSE
DX-Ball 1.09 --> C:\PROGRA~1\DX-Ball\UNWISE.EXE C:\PROGRA~1\DX-Ball\INSTALL.LOG
Files Secure --> C:\Program Files\Files-Secure\Uninstall.exe
Freecorder Toolbar 3.0 Application --> "C:\WINDOWS\Freecorder Toolbar\uninstall.exe" "/U:C:\Program Files\Freecorder Toolbar\Uninstall\uninstall.xml"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kaspersky Online Scanner --> C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.14.12 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Fireworks MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E583ED6F-BD99-4066-A420-C815BF692B69}\Setup.exe" -l0x9 UNINSTALL
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 97, Professional Edition --> C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Nero 7 Essentials --> MsiExec.exe /I{F17F7703-1E72-40C1-A0DD-E5B365661033}
Smart FLV Converter 2.1 --> "C:\Program Files\Smart FLV Converter\unins000.exe"
Sophos Anti-Rootkit 1.3.1 --> C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
WinAVIVideoConverter --> "C:\Program Files\WinAVIVideoConverter\unins000.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
World Gaming Center Version 2.1.2 with Gamescript Files --> "C:\Program Files\wgcenter\unins000.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type2874 / Error
Event Submitted/Written: 03/28/2008 05:52:30 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: 0x2ee7

Event Record #/Type2864 / Success
Event Submitted/Written: 03/28/2008 06:49:09 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2818 / Success
Event Submitted/Written: 03/27/2008 01:19:42 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2790 / Success
Event Submitted/Written: 03/26/2008 03:51:23 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2789 / Error
Event Submitted/Written: 03/26/2008 03:48:00 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application LimeWire.exe, version 1.0.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1319 / Error
Event Submitted/Written: 03/28/2008 05:40:25 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 121.216.230.254 for the Network Card with network address 00A0C6000000 has been
denied by the DHCP server 124.179.182.49 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type1315 / Error
Event Submitted/Written: 03/28/2008 05:37:34 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053

Event Record #/Type1314 / Error
Event Submitted/Written: 03/28/2008 05:37:34 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.

Event Record #/Type1313 / Error
Event Submitted/Written: 03/28/2008 05:37:01 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053

Event Record #/Type1312 / Error
Event Submitted/Written: 03/28/2008 05:37:01 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.



-- End of Deckard's System Scanner: finished at 2008-03-28 17:58:03 ------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:23 PM, on 28/03/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\Utility\Application\QMICM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\bpwbb2ad.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" -tsr
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6362 bytes
  • 0

#27
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

btw, all my file folders can only be opened up by right clicking then select open...i can't just click to open them without it going to the search folder first....any ideas how to fix this?

sounds like quite a simple fix should be needed, and does not sound malware related. out of interest, when did this start?

in this post we will update your java and try and fix your file/folder issue. in the next post we will update you to SP2 and then, hopefully, wrap up in the following post.


====STEP 1====

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.


====STEP 2====
click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
regsvr32 /i shell32.dll


let me know if that fixes your file/folder clicking problem.

andrewuk
  • 0

#28
shaz

shaz

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 145 posts
waalah that fixed my folders problem, you're a genius..ty....was having that problem for about a month now, computer does seem to be running good, thanks again...so what's next?
  • 0

#29
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
two more posts to wrap this up, firstly we need to update you to SP1.

Service Pack 2
You also do not have Service Pack 2 for Windows XP installed, which is a CRITICAL part of keeping your system protected. Without the Service Pack 2 installed, your system is vulnerable and wide open to re-infection. I suggest you visit the Windows Update Site immediately which can be found Here

Please let me know if you encounter any errors in the process of installing SP2. If you do, it may mean that your PC is still infected so please let me know.

Please post a HJT log after the above along with letting me know how the SP2 installation went.

andrewuk
  • 0

#30
shaz

shaz

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 145 posts
hi andrew

sorry taken so long....wasn't able to download sp2...do have another problem though...can't sign into msn at all...not live messenger or hotmail or any msn sites...can u help me out there pls.....oh here's the hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:23 PM, on 4/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\Utility\Application\QMICM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\bpwbb2ad.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" -tsr
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206747410319
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206748844851
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab72888.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7770 bytes
  • 0
